AMENDMENTS
In the Claims 

1. (Currently Amended) A network device comprising:
a tunnel classification stage, wherein

said tunnel classification stage comprises 
a packet processing section, 

a security group identifier identification unit coupled to said packet 
processing section, and 

a tunnel classification unit coupled to said packet processing section 
and said security group identifier identification unit,
said packet processing section is configured to classify a packet based on a 

security group identifier (SGI) of said packet and 
said packet processing section is further configured to forward said packet 

through a tunnel via which said packet is to be forwarded, and 
said packet processing section is further configured to use said SGI in

determining said tunnel.

2.-3. (Cancelled)

4. (Currently Amended) The network device of claim [[3]] 1, wherein
said packet processing section is further configured to forward said packet through said 
tunnel based on information in a header of said packet. 
5. (Cancelled)

6. (Currently Amended) The network device of claim 1, wherein a single router 
comprises said tunnel classification stage.

7. (Currently Amended) The network device of claim 6, wherein said single router 
further comprises: 

a lookup unit. 

8. (Currently Amended) The network device of claim 7, wherein said lookup unit 
comprises: 

an access control list (ACL); and 

a content-addressable memory, wherein 

said content-addressable memory is coupled to access said access control list, and 
said content-addressable memory is configured to 
generate an index, and [[to]] 
provide said index to said ACL. 

9. (Currently Amended) The network device of claim 8, wherein 
said network device further comprises a memory,

said ACL is stored in said memory,

said content-addressable memory and said memory are coupled to one another,

said ACL comprises[[:]] a plurality of ACL entries (ACEs), [[wherein]] and

each of said ACEs comprises a tunnel identifier field and a security group identifier field. 

10. (Currently Amended) A method comprising: 
assigning a security group identifier (SGI) to a packet; [[and]] 
classifying said packet based on said SGI;

determining a routing of said packet wherein said determining is based on said
SGI; and

forwarding said packet via a tunnel identified by said routing, if forwarding a
packet having said SGI via said tunnel is permitted.
11. (Original) The method of claim 10, further comprising:
determining whether said packet can be sent via a tunnel based on a result of said 

classifying said packet. 

12.-13. (Cancelled)

14. (Original) The method of claim 11, wherein said determining comprises: 
generating an index, wherein said index comprises said SGI; and 

using said index to access an access control list (ACL), wherein said ACL includes 
information as to whether said packet can be sent via a tunnel. 

15. (Original) The method of claim 14, wherein said information comprises: 
an SGI field; and 

a tunnel identifier field. 

16. (Original) The method of claim 10, further comprising: 
forwarding said packet from an ingress router to an egress router via a tunnel. 

17. (Original) The method of claim 16, further comprising: 
receiving said packet at said egress router; and 

determining whether said packet can be forwarded by said egress router based on said 
SGI. 

18. (Original) The method of claim 17, wherein said determining whether said packet
can be forwarded further comprises: 

determining whether said packet can be forwarded by said egress router based on said 
SGI, a destination of said packet and an identifier of said tunnel. 

19. (Original) The method of claim 17, wherein said determining whether said packet 
can be forwarded further comprises: 

generating an index into an access control list (ACL), wherein 
said ACL comprises information regarding whether said packet can be forwarded

by said egress router, and 
said index includes said identifier of said tunnel; and 
accessing said ACL using said index. 

20. (Currently Amended) A computer system comprising: 
a processor; 

computer readable storage medium coupled to said processor; and 
computer code, encoded in said computer readable storage medium, configured to cause 
said processor to: 

assign a security group identifier (SGI) to a packet; and 

generate a classification of said packet by virtue of being configured to 

classify said packet based on said SGI;
determine whether said packet can be sent via a tunnel based on said

classification; and

forward said packet via said tunnel, if forwarding a packet having said SGI
via said tunnel is permitted.

21. (Cancelled) 

22. (Currently Amended) The computer system of claim [[21]] 20, wherein said 
computer code is further configured to cause said processor to: 

determine a routing of said packet, wherein said classification is also based on said 
routing. 

23. (Cancelled) 

24. (Currently Amended) The computer system of claim [[21]] 20, wherein said 
computer code configured to cause said processor to determine is further configured to cause 
said processor to: 

generate an index, wherein said index comprises said SGI; and 
use said index to access an access control list (ACL), wherein said ACL includes
information as to whether said packet can be sent via a tunnel. 

25. (Original) The computer system of claim 24, wherein said information 
comprises: 

an SGI field; and 

a tunnel identifier field. 

26. (Original) The computer system of claim 20, wherein said computer code is 
further configured to cause said processor to: 

forward said packet from an ingress router to an egress router via a tunnel. 

27. (Original) The computer system of claim 26, wherein said computer code is 
further configured to cause said processor to: 

receive said packet at said egress router; and 

determine whether said packet can be forwarded by said egress router based on said SGI. 

28. (Original) The computer system of claim 27, wherein said computer code 
configured to cause said processor to determine whether said packet can be forwarded by said 
egress router is further configured to cause said processor to: 

determine whether said packet can be forwarded by said egress router based on said SGI, 
a destination of said packet and an identifier of said tunnel. 

29. (Original) The computer system of claim 27, wherein said computer code 
configured to cause said processor to determine whether said packet can be forwarded by said 
egress router is further configured to cause said processor to: 

generate an index into an access control list (ACL), wherein 

said ACL comprises information regarding whether said packet can be forwarded 
by said egress router, and 

said index includes said identifier of said tunnel; and 
access said ACL using said index. 
30. (Currently Amended) A computer program product comprising:

a first set of instructions, executable on a computer system, configured to assign a 

security group identifier (SGI) to a packet; 
a second set of instructions, executable on said computer system, configured to classify 

said packet based on said SGI; [[and]] 
a third set of instructions, executable on said computer system, configured to 

determine a routing of said packet wherein said determining is based on said 

SGI; 

a fourth set of instructions, executable on said computer system, configured to 

forward said packet via said tunnel, if forwarding a packet having said SGI 
via said tunnel is permitted; and 

computer readable storage media, wherein said computer program product is encoded in 
said computer readable storage media. 

31. (Currently Amended) The computer program product of claim 30, wherein said 
second set of instructions is further configured to generate a classification of said packet, and 
further comprising: 

a [[third]] fifth set of instructions, executable on said computer system, configured to
determine whether said packet can be sent via a tunnel based on said
classification.

32.-33. (Cancelled)

34. (Currently Amended) The computer program product of claim 31, wherein said
[[third]] fifth set of instructions comprises:

a first subset of instructions, executable on said computer system, configured to generate 
an index, wherein said index comprises said SGI; and 

a second subset of instructions, executable on said computer system, configured to use 
said index to access an access control list (ACL), wherein said ACL includes 
information as to whether said packet can be sent via a tunnel. 
35. (Original) The computer program product of claim 34, wherein said information
comprises: 

an SGI field; and 

a tunnel identifier field. 

36. (Currently Amended) The computer program product of claim 30, further 
comprising: 

a [[third]] fifth set of instructions, executable on said computer system, configured to
forward said packet from an ingress router to an egress router via a tunnel. 

37. (Currently Amended) The computer program product of claim 36, further 
comprising: 

a [[third]] sixth set of instructions, executable on said computer system, configured to

receive said packet at said egress router; and
a [[fourth]] seventh set of instructions, executable on said computer system, configured to

determine whether said packet can be forwarded by said egress router based on 

said SGI. 

38. (Currently Amended) The computer program product of claim 37, wherein said 
[[fourth]] seventh set of instructions comprises:

a first subset of instructions, executable on said computer system, configured to 

determine whether said packet can be forwarded by said egress router based on 
said SGI, a destination of said packet and an identifier of said tunnel. 

39. (Currently Amended) The computer program product of claim 37, wherein said 
[[fourth]] seventh set of instructions comprises:

a first subset of instructions, executable on said computer system, configured to generate 
an index into an access control list (ACL), wherein 

said ACL comprises information regarding whether said packet can be forwarded 

by said egress router, and 
said index includes said identifier of said tunnel; and 
a second subset of instructions, executable on said computer system, configured to access
said ACL using said index. 

40. (Currently Amended) An apparatus comprising: 

means for assigning a security group identifier (SGI) to a packet; [[and]] 
means for classifying said packet based on said SGI;

means for determining a routing of said packet wherein said means for determining
is configured to use said SGI in determining said routing; and

means for forwarding said packet via a tunnel identified by said routing, if
forwarding a packet having said SGI via said tunnel is permitted.

41. (Original) The apparatus of claim 40, further comprising:

means for determining whether said packet can be sent via a tunnel based on a result
generated by said means for classifying said packet. 

42. (Cancelled) 

43. (Currently Amended) The apparatus of claim [[42]] 41, further comprising: 
means for forwarding said packet via said tunnel, operable wherein said means for 

forwarding is configured to forward said packet via said tunnel if forwarding 
a packet having said SGI via said tunnel is permitted. 

44. (Original) The apparatus of claim 41, wherein said determining comprises:
means for generating an index, wherein said index comprises said SGI; and 
means for using said index to access an access control list (ACL), wherein said ACL 

includes information as to whether said packet can be sent via a tunnel. 

45. (Original) The apparatus of claim 44, wherein said information comprises: 
an SGI field; and 

a tunnel identifier field. 
46. (Currently Amended) The apparatus of claim 40, [[further comprising:]] wherein
said means for forwarding said packet is configured to forward said packet from an

ingress router to an egress router via [[a]] said tunnel.

47. (Original) The apparatus of claim 46, further comprising: 
means for receiving said packet at said egress router; and 

means for determining whether said packet can be forwarded by said egress router based 
on said SGI. 

48. (Original) The apparatus of claim 47, wherein said means for determining 
whether said packet can be forwarded further comprises: 

means for determining whether said packet can be forwarded by said egress router based 
on said SGI, a destination of said packet and an identifier of said tunnel. 

49. (Original) The apparatus of claim 47, wherein said means for determining 
whether said packet can be forwarded further comprises: 

means for generating an index into an access control list (ACL), wherein 

said ACL comprises information regarding whether said packet can be forwarded 

by said egress router, and 
said index includes said identifier of said tunnel; and 

means for accessing said ACL using said index. 